This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Snakes and Ladders"

From OWASP
(Current Release: JA version added)
(Volunteers: Added Takanori Nakanowatari)
Line 246: Line 246:
 
* Yongliang He
 
* Yongliang He
 
* Cédric Messeguer
 
* Cédric Messeguer
 +
* Takanori �Nakanowatari
 
* Riotaro Okada
 
* Riotaro Okada
 
* Ferdinand Vroom
 
* Ferdinand Vroom
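
Review bot: the added line "* Takanori �Nakanowatari" carries a stray non-printing or mis-encoded character between the given name and the surname. Replace it with a plain space so the entry renders cleanly and matches the neighbouring entries in the volunteers list.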

Revision as of 09:12, 2 December 2014

OWASP Snakes and Ladders

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

Editions

Web Applications

In the board game for web applications, the virtuous behaviours (ladders) are secure coding practices (from OWASP Proactive Controls project 2014) and the vices (snakes) are application security risks (from OWASP Top Ten Project 2013).

Mobile Apps

The identical board game for mobile apps uses mobile controls (from the Mobile Security Project Top Ten Controls 2013) as the virtuous behaviours and mobile risks (from the Top Ten Mobile Risks 2014 from the same project) as the vices.

Application Intrusion Detection

Coming soon.

Background

This board game was created for use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning material for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached.

Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 paper size 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away.

Licensing

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

Other Security Gamification

If you are interested in using gaming for security, also see OWASP Cornucopia, Elevation of Privilege: The Threat Modeling Game, Security Cards from the University of Washington, the commercial card game Control-Alt-Hack (presentation for the latter), and web application security training tools incorporating gamification such as OWASP Hackademic Challenges Project, OWASP Security Shepherd and ITSEC Games.

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at security games.

What is This?

Snakes and Ladders is a popular board game of ancient provenance, imported into Great Britain from Asia in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized print-your-own paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks.

How to Play

  • The game is for 2-6 players.
  • Firstly print the sheet out.
  • Give each player a coloured counter (marker). To begin, each player should throw the die to determine who plays first; the highest can lead.
  • Put all the players' counters onto the first square labelled “Start 1”.
  • In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail.
  • The first player to reach “100” at the top left wins. Give a prize.

Project Leader

Colin Watson

Related Projects

Quick Download

News and Events

  • [04 Dec] Free copies at OWASP London
  • [02 Dec] Free copies at OWASP Cambridge
  • [25 Nov] Web Applications FR, JA and ZH
  • [06 Nov 2014] Project launch
  • [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES
  • [31 Oct 2014] Mobile Apps v1.0 released in EN

Twitter

Follow two mock games running on Twitter:
